Google’s Ban on Third-party Cookies Could Actually Harm User Privacy

There was quite a lot of coverage earlier this month when Google announced that they would be phasing out support for third-party cookies in Chrome within the next two years. The stock price of firms like Criteo, which rely heavily on third-party cookie data for their core business, dipped sharply. The general consensus has been that this was a welcome move in terms of user privacy – but nixing third-party cookies could actually harm user privacy, by making it harder to identify irresponsible sharing of user data.

Third-party cookies are currently an indispensable part of the online advertising ecosystem. As a user visits a website, code on the site makes an http call to a “third-party” server (i.e. a different domain from that of the site itself); the third-party server then serves a cookie back to the browser, and logs the user, plus a certain amount of information about them and the site they’re visiting. It’s this mechanism that means that you can be looking at jeans on target.com and then receive endless jeans ads across the internet – the retargeting networks are able to see that you’ve viewed jeans and use this to bombard target you with jeans ads.

Third-party cookies are also very useful for advertisers who are looking to understand the behaviour of users who’ve viewed or clicked on their ads, because they enable user behaviour on the advertiser’s site to be linked back to the ads that those users have seen, wherever they were served them.

So the function of third-party cookies is essentially to hand off a little bit of information about the user from one organisation to another. But it’s not the only way to achieve this – the other approach is to use server-side cookie sync. With this approach, if I visit the jeans page on target.com, this is logged by Target’s own data collection servers, and these servers (or at least other servers within Target) exchange this info at the back-end with, say, Criteo’s servers. This does create some challenges with user matching, because there is no common ID, but those issues are surmountable (and 3P data companies have two years to build a matching table from their current third-party cookie ID data).

Server-side cookie sync is already an established approach – it’s how companies like LiveRamp and other DMPs build connections between their data and their customers’ data. The disappearance of third-party cookies, however, will make this technology much more pervasive. This is worrying because, for all their issues, the data streams created by third-party cookies (or at least third-party tagging) are at least somewhat discoverable.

This week the Electronic Frontier Foundation published a piece of research they have done into the third-party data collection that is present in Ring’s Android app. They discovered that the app, without notifying users, is sending user data to a host of third-party sites, including Facebook, MixPanel and AppsFlyer. To unearth this information, the EFF researchers had to perform some pretty nifty tricks to intercept and unpack the encrypted traffic that the app was sending to these locations. Although it wasn’t easy to do this, it was at least possible, because the data flows were passing from the client device (the phone) through the researchers’ local network (where they could install sniffers) to the internet. By modifying the app locally to circumvent its encryption, the researchers were even able to see what attributes the app was passing to the third parties.

For server-to-server data flows, none of this is possible; the servers on each end are running in private data centres, and without access to the local network or codebase, decrypting encrypted traffic is not possible (a good thing generally, by the way). Even determining that company A is transmitting data to company B is like finding a needle in a haystack.

So if advertisers, publishers and DSPs/networks move to server-to-server data flows for user data, it will likely become harder to identify careless or malign sharing of user data, like the example of Ring. Users and regulators may feel better about the disappearance of “all those weird cookies”, but the unintended consequence could well be that protecting user privacy may become a lot harder in future.

Meta

This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Cookie settingsACCEPT

Privacy & Cookies Policy

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience.

Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.

Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.